CRMy
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: crmy Version: 0.5.11 The skill bundle is a legitimate integration for a CRM platform called CRMy. It provides a comprehensive set of tools for managing contacts, accounts, and sales pipelines via a REST API. The code handles configuration and authentication by reading from a local config file (~/.crmy/config.json) or environment variables, which is standard practice for such integrations. The SKILL.md instructions are well-structured, focusing on proactive CRM management and data integrity without any signs of prompt injection or malicious redirection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The assistant can make persistent CRM changes, such as creating contacts, updating contact fields, logging activities, and moving relationship or deal state when the workflow calls for it.
The plugin exposes tools that can create and update CRM records through the CRMy API. This matches the stated CRM-management purpose, but it is still meaningful mutation authority over business data.
handler: async (input) => client.post('/contacts', input) ... handler: async ({ id, ...rest }) => client.patch(`/contacts/${id as string}`, rest)Use the skill only if you want the agent to manage CRMy data. Keep human confirmation for important updates, stage changes, and bulk actions, and verify search matches before writing.
Anyone who can direct this skill through the agent can cause authenticated actions against the configured CRMy server within the API key's permissions.
The plugin reads a CRMy API key from configured sources and uses it as a Bearer token for CRMy API requests. This is expected for authenticated CRM access, but the credential grants account authority.
const raw = fs.readFileSync(path.join(os.homedir(), '.crmy', 'config.json'), 'utf-8'); ... const apiKey = pluginConfig?.apiKey ?? process.env.CRMY_API_KEY ?? fileConfig.apiKey ?? ''; ... 'Authorization': `Bearer ${cfg.apiKey}`Use a trusted CRMy server URL, prefer a least-privilege API key, protect ~/.crmy/config.json and CRMY_API_KEY, and avoid running the skill in environments where untrusted prompts can trigger CRM writes.